Ensure HTMLElementStack fails gracefully if it has a non-Element.
authorsimonjam@chromium.org <simonjam@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 2 May 2012 00:04:01 +0000 (00:04 +0000)
committersimonjam@chromium.org <simonjam@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 2 May 2012 00:04:01 +0000 (00:04 +0000)
https://bugs.webkit.org/show_bug.cgi?id=85167

Reviewed by Adam Barth.

Source/WebCore:

Test: Added to html5lib/resources/webkit02.dat

* html/parser/HTMLElementStack.cpp:
(WebCore::HTMLElementStack::oneBelowTop):
* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processEndTag):

LayoutTests:

* html5lib/resources/webkit02.dat:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@115763 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/html5lib/resources/webkit02.dat
Source/WebCore/ChangeLog
Source/WebCore/html/parser/HTMLElementStack.cpp
Source/WebCore/html/parser/HTMLTreeBuilder.cpp

index 1d474de..7b7e169 100644 (file)
@@ -1,3 +1,12 @@
+2012-05-01  James Simonsen  <simonjam@chromium.org>
+
+        Ensure HTMLElementStack fails gracefully if it has a non-Element.
+        https://bugs.webkit.org/show_bug.cgi?id=85167
+
+        Reviewed by Adam Barth.
+
+        * html5lib/resources/webkit02.dat:
+
 2012-05-01  Christophe Dumez  <christophe.dumez@intel.com>
 
         [EFL] fast/loader/file-protocol-fragment.html needs rebaselining
index 8ea5538..905783d 100644 (file)
@@ -149,3 +149,11 @@ table
 |   <input>
 |     name="isindex"
 | <hr>
+
+#data
+<option><XH<optgroup></optgroup>
+#errors
+#document-fragment
+select
+#document
+| <option>
index bbaa3b6..8c84af5 100644 (file)
@@ -1,3 +1,17 @@
+2012-05-01  James Simonsen  <simonjam@chromium.org>
+
+        Ensure HTMLElementStack fails gracefully if it has a non-Element.
+        https://bugs.webkit.org/show_bug.cgi?id=85167
+
+        Reviewed by Adam Barth.
+
+        Test: Added to html5lib/resources/webkit02.dat
+
+        * html/parser/HTMLElementStack.cpp:
+        (WebCore::HTMLElementStack::oneBelowTop):
+        * html/parser/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::processEndTag):
+
 2012-05-01  Ryosuke Niwa  <rniwa@webkit.org>
 
         *Command.h files shouldn't be exported to WebKit layer
index 9cc3a03..2b57e34 100644 (file)
@@ -386,10 +386,12 @@ HTMLElementStack::ElementRecord* HTMLElementStack::topRecord() const
 
 Element* HTMLElementStack::oneBelowTop() const
 {
-    // We should never be calling this if it could be 0.
+    // We should never call this if there are fewer than 2 elements on the stack.
     ASSERT(m_top);
     ASSERT(m_top->next());
-    return m_top->next()->element();
+    if (m_top->next()->node()->isElementNode())
+        return m_top->next()->element();
+    return 0;
 }
 
 Element* HTMLElementStack::bottom() const
index 2b0c02e..5d5342b 100644 (file)
@@ -2193,7 +2193,7 @@ void HTMLTreeBuilder::processEndTag(AtomicHTMLToken& token)
     case InSelectMode:
         ASSERT(insertionMode() == InSelectMode || insertionMode() == InSelectInTableMode);
         if (token.name() == optgroupTag) {
-            if (m_tree.currentNode()->hasTagName(optionTag) && m_tree.oneBelowTop()->hasTagName(optgroupTag))
+            if (m_tree.currentNode()->hasTagName(optionTag) && m_tree.oneBelowTop() && m_tree.oneBelowTop()->hasTagName(optgroupTag))
                 processFakeEndTag(optionTag);
             if (m_tree.currentNode()->hasTagName(optgroupTag)) {
                 m_tree.openElements()->pop();